The science of app-wrapping

BYOD brings out the classic problem between control of corporate information and individual freedom. It kicks it up to a whole new level because the devices belong to the users, but at least some of the apps and information belong to the company and as such need protection and policy enforcement.

One approach to this problem is mobile device management (MDM), but the problem with MDM is it requires managing a device that belongs to the user. What's more, containerization at the device level compromises the user experience. A better approach is mobile application management (MAM), which can be applied, as the name implies, at the application level, wrapping corporate apps and data, but not wrapping Facebook or Roku.

This approach provides a high level of administrative control while still offering a superior user experience for all mobile applications, both the wrapped and unwrapped, so to speak. So let's explore, at a high level, how app wrapping works.

The essential operation of app wrapping lies in setting up a dynamic library and adding to an existing binary that controls certain aspects of an application. For instance, at startup, you can change an app so that it requires authentication using a local passkey. Or you could intercept a communication so that it would be forced to use your company's virtual private network (VPN) or prevent that communication from reaching a particular application that holds sensitive data, such as QuickBooks.

The end result is the policies set by an administrator become a set of dynamic libraries, which are implemented on top of the application's native binary. On iOS, for example, using XCode, the developer can take an iPhone Application Archive (.ipa) file, add the dynamic libraries and create a new app that behaves differently when started, or when a certain type of communication happens. The normal call made by an app to an API is now "front-ended" to look in a local dynamic library for instructions.

This technique can be used to create advanced security processes, such as embedding an individual application's communication with an endpoint in a VPN the company controls. This VPN is outside the control of the application, but does not affect how the application looks or functions on the device. This is far superior to the alternative taken by many MDM vendors, which use a device-level VPN that requires all communications from the device to access the corporate VPN. That approach slows performance to a crawl and negatively impacts that most delicate commodity, battery life.

App wrapping can also apply a passkey to the clipboard of the device to intercept cut-and-paste activities. Clipboard contents will be encrypted or turned into illegible garbage if cut and paste is attempted when it's not allowed by the app. The purpose of this intervention is to prevent an employee (or someone who should not have the device) from copying information from a restricted application onto the device clipboard, where it could be made available to other apps on the device.

Most mobile devices have some form of native encryption, but app wrapping can significantly raise the protection bar by providing certified encryption on the Federal Information Processing Standard (FIPS) 140-2. When corporate data is at rest on the device, app wrapping can protect it using FIPS 140-2 Level I Suite B encryption libraries, the same level used by the U.S. Department of Defense Logistics Agency. It is decrypted only when the correct passcode is entered. Therefore, if an unauthorized party acquires the phone, they won't be able to read data even if they succeed in downloading it.

When a user "jailbreaks" an iOS or "roots" an Android device, they essentially remove all operating-system level protections against fraudulent or malicious use. Effective app wrapping technology, at a server level, must be able to detect whether a device has been jailbroken or rooted, then trigger a mechanism that prevents all enterprise-installed apps from running.

Of course, it is inevitable that, at some point, a phone or tablet will become lost, and both the corporate and personal data on it is at risk. In these scenarios, app wrapping offers at least two remedies.

One remedy remotely removes the applications and data over which the enterprise has established control. At the server level, effective app wrapping technology keeps an inventory of all applications deployed by the company. Any other apps or data are assumed to be personal.

If needed as a fail-safe mechanism, the server can do what MDM companies routinely do, which is remotely lock or wipe the phone, so that it is unusable by anyone. The problem with this approach in the MDM world is that it's the only option and so users are understandably hesitant to report their devices missing since they know that all their personal apps and information will be wiped when they tell IT that the device is missing.

There are times when wiping the device makes sense, but it's better (from everyone's point of view) to wipe out sensitive corporate information without impacting the user's own apps and data. Pictures of the 6-year-old's smile with the missing teeth can be preserved while sensitive corporate data is safely wiped most of the time. Since apps and data are synchronized, that corporate data is preserved on the server anyway (and hopefully the user knows how to keep that semi-toothless grin backed up as well).

App wrapping resolves many of the deficits of the essential enterprise mobility conundrum -- how to protect data while delivering a user experience on par with consumer devices. Setting controls at the app level provides much more subtle and even-handed control for enterprise IT than the draconian "on/off" conditions or downgraded performance and user experience of prior solutions. With techniques like app wrapping, enterprise mobility and BYOD will reach their full potential as indispensable platforms for productivity.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.